Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
22-05-2024 01:34
General
-
Target
7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll
-
Size
120KB
-
MD5
423ebc006b6fcd8ec3b6a1fe5a167618
-
SHA1
29e7e3dbdebf3f23a6cc2c7ff29c7677e8d2a6ec
-
SHA256
7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b
-
SHA512
9af7eb5354967a7e4aeb7ce2f89c5670ef1be06f52a50c46474abf0fed6e3a5a0b332bd88e5973b6a7c30c7311bcfb2ba3a90ccfb14250e13431646200f5334f
-
SSDEEP
3072:Qh26F5ZpdPl0r4KDylytxN9UyIBI/RR0+ITIIL46TG:j6FPlW6yH/JITIIL46TG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7ac323778529109c8a88da5cfba509a424f0b2a1515180ec82b1459ebeac9e3b.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7617c5.exeC:\Users\Admin\AppData\Local\Temp\f7617c5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7619d7.exeC:\Users\Admin\AppData\Local\Temp\f7619d7.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763360.exeC:\Users\Admin\AppData\Local\Temp\f763360.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD52a557494865b1797d0b7ee9d99c8a2e5
SHA1fba228efdf49c49703a6a90314dd823699549aba
SHA256cc557c845ff8b6454efae2b5be812e06da1577e118673a4beee12458d8f511f0
SHA5128ade2ffbde3c4ecb27ca908e94f3371c43085cf7e8c1bffc394cbc3676b0e56bdf8ab8ac418127d836b30e370b0e59cb63a54cee0466d263f6a3977cfcb6ae4d
-
\Users\Admin\AppData\Local\Temp\f7617c5.exeFilesize
97KB
MD56d157d3f29f89e01b8ebc4e807d62fe3
SHA1586f4133526571093752da546591ad3ad3549c14
SHA256e9bb058b32ffd69c92eed95c89f0fa9cb87c962df8932bfd858942b3f50a673b
SHA5124185cccbe7d7c170b273aa3c3b69beebfd083d0cf1a6c402bebf5d714cc18a053d8deeb2f2ac091bbc1adcd70f51c869e0c54ff37f8ee925403870992c91aea0
-
memory/1248-25-0x0000000000210000-0x0000000000212000-memory.dmpFilesize
8KB
-
memory/2264-37-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/2264-8-0x0000000000150000-0x0000000000162000-memory.dmpFilesize
72KB
-
memory/2264-59-0x0000000000260000-0x0000000000272000-memory.dmpFilesize
72KB
-
memory/2264-55-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2264-35-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2264-76-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2264-79-0x0000000000150000-0x0000000000162000-memory.dmpFilesize
72KB
-
memory/2264-80-0x0000000000450000-0x0000000000462000-memory.dmpFilesize
72KB
-
memory/2264-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2264-56-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2264-39-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/2460-158-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-105-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2460-98-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2460-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-97-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/2516-62-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-17-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-48-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2516-15-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-46-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/2516-19-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-61-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-21-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-63-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-64-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-65-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-67-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-68-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2516-82-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-14-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-16-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-58-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2516-87-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-88-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-22-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-13-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-153-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-108-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-154-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2516-20-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-18-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/2516-130-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2884-103-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2884-104-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2884-106-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2884-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2884-171-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2884-209-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2884-208-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB